Demystifying secure software development (Desvendando o desenvolvimento seguro de software)
Transcript of Desvendando o desenvolvimento seguro de software
IBM Technical Summit 2013
Erik Oliveira, Senior Security Consultant, IBM Security, [email protected]
© 2013 IBM Corporation
Please note the following
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Interconnected world
Organizations keep moving to new platforms, including cloud computing, virtualization, mobile devices, social business and much more.
EVERYTHING IS EVERYWHERE
With the advent of Enterprise 2.0 and social business, the line between personal and professional time, devices and data has disappeared.
CONSUMERIZATION OF IT
The era of "Big Data", the explosion of digital information, has arrived, enabled by the spread of applications that are accessed from everywhere.
DATA EXPLOSION
The speed and skill of attacks have increased, together with new actors and new motivations, from cybercrime and terrorism to state-sponsored intrusions.
ATTACK SOPHISTICATION
Your device is
Mobile Malware 2013
Source: Juniper Networks Third Annual Mobile Threats Report: March 2012 through March 2013
Vulnerability distribution by language
Global context
(Figure: timeline of publicly reported security breaches from February to August; the size of each circle estimates the relative impact of the breach.)
Attack types in the legend: SQL injection, URL manipulation, spear phishing, third-party software, DDoS, Secure ID, unknown
Organizations on the timeline: Sony, Epsilon, L3 Communications, Sony BMG, Greece, US Senate, NATO, Arizona Police, Turkish Government, SK Communications, Korea, Monsanto, RSA, HB Gary, Nintendo, Brazilian Government, Lockheed Martin, Vanguard Defense, Booz Allen Hamilton, PBS (listed twice), SOCA, Malaysian government site, Peruvian Police, Gmail accounts, Spanish Federal Police, Citigroup, Sega, Fox News X-Factor, Italian Prime Minister's site, IMF, Northrop Grumman, Bethesda Software
Cost of a breach
(Figure: damage to the enterprise, on a scale of 1x, 10x and 1,000,000x, plotted against the phase in which a security defect is found: Development, Test, Production; two series are shown, "functional flow" and "security flow".)
Costs: customer notification, fines, litigation, reputation exposure, brand exposure, cost of repair
Detecting SQL Injection
    // ...
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
        "userid='" + username + "' " + "AND password='" + password + "'";
    // ...
    ResultSet rs = stmt.executeQuery(query);
The user can change the SQL commands that get executed.
Sink: a potentially dangerous method (here stmt.executeQuery)
Source: a method returning an untrusted string (here request.getParameter)
Detecting SQL Injection
    String username = request.getParameter("username");
    String query = "SELECT …" + username;
Values of username that change the query (the submitted text is what lands between the outer quotes):
    username = 'anything' OR 'x'='x'
    username = 'x' AND userid IS NULL; --'
    username = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --'
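The three payloads above, run against the slide's concatenated query and against a parameterized version, as an added example. This is not code from the deck or from AppScan; the in-memory SQLite database, the tUsers rows and the single-column lookup query (the simplified "SELECT …" + username form of the slide) are constructed for the demo.

```python
import sqlite3

# Constructed sample table mirroring the tUsers table in the slide's query.
SAMPLE_ROWS = [("alice", "s3cret"), ("bob", "hunter2")]

# The three username values from the slide (the text that lands between the
# quotes of the WHERE clause).
PAYLOADS = [
    "anything' OR 'x'='x",
    "x' AND userid IS NULL; --",
    "x' AND 1=(SELECT COUNT(*) FROM tabname); --",
]


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory database with the constructed tUsers table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tUsers (userid TEXT, password TEXT)")
    con.executemany("INSERT INTO tUsers VALUES (?, ?)", SAMPLE_ROWS)
    return con


def lookup_vulnerable(con: sqlite3.Connection, username: str):
    """The slide's pattern: the request parameter (source) is concatenated
    into the SQL text and handed to the query executor (sink)."""
    query = "SELECT userid FROM tUsers WHERE userid='" + username + "'"
    try:
        return sorted(row[0] for row in con.execute(query))
    except sqlite3.Error as exc:
        # An error that depends on attacker input is itself a signal; the
        # third payload is built to provoke exactly this kind of response.
        return "ERROR: " + str(exc)


def lookup_safe(con: sqlite3.Connection, username: str):
    """Parameterized query: the SQL text is fixed and the driver binds the
    value, so the input can only ever be compared, never parsed as SQL."""
    query = "SELECT userid FROM tUsers WHERE userid=?"
    try:
        return sorted(row[0] for row in con.execute(query, (username,)))
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)


def run_payloads(payloads=PAYLOADS) -> dict:
    """Run every payload through both versions and collect the outcomes."""
    con = make_db()
    return {
        p: {"vulnerable": lookup_vulnerable(con, p), "safe": lookup_safe(con, p)}
        for p in payloads
    }


if __name__ == "__main__":
    for payload, outcome in run_payloads().items():
        print(f"username = {payload!r}")
        print(f"  concatenated : {outcome['vulnerable']}")
        print(f"  parameterized: {outcome['safe']}")
```

The first payload turns the concatenated lookup into a full-table match; the second is accepted silently (a probe that the injection point exists); the third errors with "no such table" for an unknown name and runs cleanly for tUsers, which is how an attacker enumerates table names from error behaviour. The parameterized version returns no rows for all three, because the whole string is compared as a value. One caveat for the two-condition query on the earlier slide: AND binds tighter than OR, so `' OR 'x'='x` placed in the username field is still guarded by the password check there, which is why such payloads are put in the last field or end with a comment marker.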
Data flow
(Figure: the value returned by request->get_form_field() in METHOD read is stored in s_html, passed on to METHOD process as the parameter s_data, modified and copied into s_out, and finally passed to the dangerous function out->print_string().)
    1. Input: request->get_form_field()
    2. Stored in variable s_html, then passed on to another method and variable (s_data)
    3. Modified and copied to another variable (s_out)
    4. Passed on to the dangerous function out->print_string()

    METHOD read .
      DATA: request TYPE REF TO if_http_request.
      DATA: s_html TYPE string.
      DATA: event TYPE string.
      s_html = request->get_form_field( 'mydata' ).
      CALL METHOD me->process EXPORTING s_data = s_html.
      RETURN.
    ENDMETHOD.

    METHOD process .
      DATA: s_out TYPE string.
      DATA: out TYPE REF TO if_bsp_writer.
      CONCATENATE `<b>` s_data `</b>` INTO s_out.
      out = me->get_previous_out( ).
      out->print_string( s_out ).
    ENDMETHOD.
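A minimal taint-tracking data-flow analysis over an instruction list that mirrors the read/process flow above, as an added example of how a source-to-sink trace like steps 1 to 4 is built. This is not AppScan code and not code from the deck; the instruction format, the source, sink and sanitizer tables, the lost-sink rule and the hypothetical `escape_html` routine are assumptions made for the demo.

```python
from typing import Dict, List, Tuple

# Rule tables the analysis is seeded with (assumptions for this demo).
SOURCES = {"request->get_form_field"}                   # methods returning untrusted strings
SINKS = {"out->print_string": "Cross-Site Scripting"}   # potentially dangerous methods
SANITIZERS = {"escape_html"}                             # hypothetical routine that neutralises HTML

# Constructed instruction list mirroring the slide's read/process flow.
# Forms: ("call", dst, fn, args) / ("assign", dst, src) / ("concat", dst, parts) / ("sink", fn, var)
VULNERABLE = [
    ("call",   "s_html", "request->get_form_field", ["'mydata'"]),   # 1: input
    ("assign", "s_data", "s_html"),                                   # 2: passed to process as s_data
    ("concat", "s_out",  ["`<b>`", "s_data", "`</b>`"]),             # 3: modified and copied
    ("sink",   "out->print_string", "s_out"),                        # 4: dangerous function
]

# Same flow with a sanitiser on the path: the finding should disappear.
FIXED = VULNERABLE[:2] + [("call", "s_data", "escape_html", ["s_data"])] + VULNERABLE[2:]

# A sink fed by a variable the analysis never saw defined (for example one
# filled in by code outside the scanned project): reported as a lost sink.
LOST = [("sink", "out->print_string", "s_legacy")]


def analyze(program) -> Tuple[List[dict], List[dict]]:
    """Walk the instructions in order, propagate taint from sources through
    assignments, parameter passing and concatenation, and report each tainted
    value reaching a sink together with the trace that got it there."""
    taint: Dict[str, List[str]] = {}   # variable -> steps that made it tainted
    defined = set()                    # variables with a visible definition
    findings, lost_sinks = [], []

    def propagate(dst, srcs, step):
        defined.add(dst)
        tainted = [s for s in srcs if s in taint]
        if tainted:
            taint[dst] = taint[tainted[0]] + [step]
        else:
            taint.pop(dst, None)       # overwritten with a clean value

    for op, *rest in program:
        if op == "call":
            dst, fn, args = rest
            if fn in SOURCES:
                defined.add(dst)
                taint[dst] = [f"{dst} = {fn}({', '.join(args)})  [source]"]
            elif fn in SANITIZERS:
                defined.add(dst)
                taint.pop(dst, None)   # sanitised result is clean
            else:
                propagate(dst, args, f"{dst} = {fn}(...)  [passed through call]")
        elif op == "assign":
            dst, src = rest
            propagate(dst, [src], f"{src} -> {dst}  [copied / passed as parameter]")
        elif op == "concat":
            dst, parts = rest
            propagate(dst, parts, f"{dst} = CONCATENATE {' '.join(parts)}  [modified and copied]")
        elif op == "sink":
            fn, var = rest
            if var in taint:
                findings.append({"sink": fn, "issue": SINKS.get(fn, "unknown sink"),
                                 "variable": var, "trace": taint[var] + [f"{fn}({var})  [sink]"]})
            elif var not in defined:
                lost_sinks.append({"sink": fn, "variable": var,
                                   "reason": "argument has no visible definition"})
        else:
            raise ValueError(f"unknown instruction {op!r}")
    return findings, lost_sinks


if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("fixed", FIXED), ("lost", LOST)):
        found, lost = analyze(prog)
        print(f"{name}: {len(found)} finding(s), {len(lost)} lost sink(s)")
        for f in found:
            print("  " + f["issue"] + " via " + f["variable"])
            for step in f["trace"]:
                print("    " + step)
```

The vulnerable program yields one finding whose trace has exactly the four steps of the slide; inserting the sanitizer between the parameter pass and the concatenation clears the taint before it reaches the sink, so the fixed program reports nothing; and a sink whose argument the analysis never saw defined is kept in a separate list rather than dropped, which is the purpose of a "lost sinks" report.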
How AppScan works
Automated security testing of applications:
Scan the applications -> Analysis (identify risks) -> Report (detailed and assertive) -> Fix
Lifecycle
(Figure: where each AppScan component sits along the lifecycle, with IBM AppScan Enterprise Server and threat management spanning the phases.)
Phases: CODING, BUILD, QA, SECURITY AND PRODUCTION
Components placed along the phases: AppScan Source users in Eclipse, Visual Studio and RAD; AppScan Source for Automation with build management; AppScan Standard (desktop) and AppScan Standard (via CLI); AppScan Enterprise user (web client) and AppScan Standard (scanning agent); IBM AppScan Enterprise Server; threat management
AppScan
IDE plug-ins
• Investigation flow
• Remediation guide
• Scan
• Fix confirmation
Corporate reporting
• Progress tracking
• Compare applications
• Custom dashboards
• Risk management
Automation
• Build integration
• Automated scans
• ANT, Make, Maven
• Data access APIs
Security
• Software configuration
• Scan
• Results triage
• Manage security policies
AppScan Enterprise Server
• Knowledge base
• Assessment database
• Custom rules
AppScan
Templates
Wizards
Import Eclipse workspaces and .NET solutions
Vulnerability matrix: isolation of confirmed vulnerabilities, optimised issue triage, helps where security expertise is lacking
Powerful filters: ease of use, focus on a small number of priority risks, predefined filters, confirmed vulnerabilities
AppScan
Fast analysis
– Memory and cache management
– Re-scan optimisation
– 100+ patents
Data flow / call flow
– Support for long traces
– Makes it easy to tell whether code is malicious or not
Things the analysis does not understand are not silently discarded; nothing is ignored
– "Lost Sinks" report
String Analysis
– Automatically identifies validation routines
– IBM Research technology
– Checks the effectiveness of the validation logic
AppScan
Supported languages
Java
JSP
C
C++
.NET (C#, VB.NET, ASP.NET)
Classic ASP (VB6)
PHP
HTML
Perl
ColdFusion
Client-side JavaScript
Server-side JavaScript
VBScript
COBOL
PL/SQL
T-SQL
SAP ABAP
Android and iOS
Out-of-the-box and extensible
– Analysis by regular expression
– Define custom rules
– Use the power of regular expressions
– Rule association with most languages
Acknowledgements and disclaimers
© Copyright IBM Corporation 2013. All rights reserved.
– U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com, Rational, the Rational logo, Telelogic, the Telelogic logo, Green Hat, the Green Hat logo, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
Other company, product, or service names may be trademarks or service marks of others.
Availability: References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.